Exam Title: Guidance Software GD0-110: Certification Exam for EnCE Outside North America

Version: R6.1

www.Prepking.com


1. The end of a logical file to the end of the cluster that the file ends in is called:
A. Unallocated space
B. Allocated space
C. Available space
D. Slack
Answer: D

2. The boot partition table found at the beginning of a hard drive is located in what sector?
A. Volume boot record
B. Master boot record
C. Master file table
D. Volume boot sector
Answer: B

3. What information in a FAT file system directory entry refers to the location of a file on the hard drive?
A. The file size
B. The file attributes
C. The starting cluster
D. The fragmentation settings
Answer: C

4. A logical file would be best described as:
A. The data from the beginning of the starting cluster to the length of the file.
B. The data taken from the starting cluster to the end of the last cluster that is occupied by the file.
C. A file including any RAM and disk slack.
D. A file including only RAM slack.
Answer: A

5. A case file can contain ____ hard drive images?
A. 1
B. 5
C. 10
D. any number of
Answer: D

6. Calls to the C:\ volume of the hard drive are not made by DOS when a computer is booted with a standard DOS 6.22 boot disk.
A. True
B. False
Answer: B

7. Select the appropriate name for the highlighted area of the binary numbers.
A. Word
B. Nibble
C. Bit
D. Dword
E. Byte
Answer: E

8. If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later changed?
A. EnCase will detect the error when that area of the evidence file is accessed by the user.
B. EnCase will detect the error if the evidence file is manually re-verified.
C. EnCase will allow the examiner to continue to access the rest of the evidence file that has not been changed.
D. All of the above.
Answer: D

9. The BIOS chip on an IBM clone computer is most commonly located on:
A. The motherboard
B. The controller card
C. The microprocessor
D. The RAM chip
Answer: A

10. Consider the following path in a FAT file system: C:\My Documents\My Pictures\Bikes. Where does the directory bikes receive its name?
A. From the My Pictures directory
B. From itself
C. From the root directory c:\
D. From the My Documents directory
Answer: A

11. The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result.
800[) \-]+555-1212
A. 800.555.1212
B. 8005551212
C. 800-555 1212
D. (800) 555-1212
Answer: D

12. How does EnCase verify that the case information (Case Number, Evidence Number, Investigator Name, etc.) in an evidence file has not been damaged or changed, after the evidence file has been written?
A. The .case file writes a CRC value for the case information and verifies it when the case is opened.
B. EnCase does not verify the case information and case information can be changed by the user as it becomes necessary.
C. EnCase writes a CRC value of the case information and verifies the CRC value when the evidence is added to a case.
D. EnCase writes an MD5 hash value for the entire evidence file, which includes the case information, and verifies the MD5 hash when the evidence is added to a case.
Answer: C

13. Which of the following statements is more accurate?
A. The Recycle Bin increases the chance of locating the existence of a file on a computer.
B. The Recycle Bin reduces the chance of locating the existence of a file on a computer.
Answer: A

14. The first sector on a volume is called the:
A. Volume boot device
B. Master boot record
C. Master file table
D. Volume boot sector or record
Answer: D

15. When an EnCase user double-clicks on a file within EnCase, what determines the action that will result?
A. The settings in the case file.
B. The setting in the evidence file.
C. The settings in the FileTypes.ini file.
D. Both a and b.
Answer: C

16. The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result.
Bob@[a-z]+.com
A. Bob@America.com
B. Bob@New zealand.com
C. Bob@a-z.com
D. Bob@My-Email.com
Answer: A

17. The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result.
[^a-z]Tom[^a-z]
A. Stomp
B. Tomato
C. Tom
D. Toms
Answer: C

18. The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result.
[\x00-\x05]\x00\x00\x00?[\x00-\x05]\x00\x00\x00
A. 00 00 00 01 FF FF BA
B. FF 00 00 00 00 FF BA
C. 04 00 00 00 FF FF BA
D. 04 06 00 00 00 FF FF BA
Answer: C

19. This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:
A. Will not find it because the letters of the keyword are not contiguous.
B. Will not find it unless File slack is checked on the search dialog box.
C. Will find it because EnCase performs a logical search.
D. Will not find it because EnCase performs a physical search only.
Answer: C

20. When a file is deleted in the FAT file system, what happens to the FAT?
A. It is deleted as well.
B. Nothing.
C. The FAT entries for that file are marked as allocated.
D. The FAT entries for that file are marked as available.
Answer: D

21. In DOS and Windows, how many bytes are in one FAT directory entry?
A. 8
B. 16
C. 32
D. 64
E. Variable
Answer: C

22. When a non-compressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence will remain the same for both files.
A. True
B. False
Answer: A

23. An EnCase evidence file of a hard drive ________ be restored to another hard drive of equal or greater size.
A. can
B. cannot
Answer: A

24. A hard drive has been formatted as NTFS and Windows XP was installed. The user used fdisk to remove all partitions from that drive. Nothing else was done. You have imaged the drive and have opened the evidence file with EnCase. What would be the best way to examine this hard drive?
A. Conduct a physical search of the hard drive and bookmark any evidence.
B. Use the add Partition feature to rebuild the partition and then examine the system.
C. Use the recovered Deleted Partitions feature and then examine the system.
D. EnCase will not see a drive that has been fdisked.
Answer: B

25. How are the results of a signature analysis examined?
A. By sorting on the signature column in the table view.
B. By sorting on the hash library column in the table view.
C. By sorting on the hash sets column in the table view.
D. By sorting on the category column in the table view.
Answer: A

26. A CPU is:
A. An entire computer box, not including the monitor and other attached peripheral devices.
B. A motherboard with all required devices connected.
C. A Central Programming Unit.
D. A chip that would be considered the brain of a computer, which is installed on a motherboard.
Answer: D

27. If a floppy diskette is in the A drive, the computer will always boot to that drive before any other device.
A. True
B. False
Answer: B

28. During the power-up sequence, which of the following happens first?
A. The boot sector is located on the hard drive.
B. The power On Self-Test.
C. The floppy drive is checked for a diskette.
D. The BIOS on an add-in card is executed.
Answer: B

29. A hard drive has 8 sectors per cluster. File Mystuff.doc has a logical file size of 13,000 bytes. How many clusters will be used by Mystuff.doc?
A. 1
B. 2
C. 3
D. 4
Answer: D

30. Select the appropriate name for the highlighted area of the binary numbers.
A. Word
B. Nibble
C. Bit
D. Dword
E. Byte
Answer: C

31. The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result.
Jan 1st, 2?0?00
A. Jan 1st, 1900
B. Jan 1st, 2000
C. Jan 1st, 2001
D. Jan 1st, 2100
Answer: B

32. EnCase can make an image of a USB flash drive.
A. True
B. False
Answer: A

33. All investigators using EnCase should run tests on the evidence file acquisition and verification process to:
A. Further the investigator's understanding of the evidence file.
B. Give more weight to the investigator's testimony in court.
C. Ensure that the investigator is using the proper method of acquisition.
D. All of the above.
Answer: D

34. Within EnCase, clicking on save on the toolbar affects what file(s)?
A. The open case file
B. The configuration .ini files
C. The evidence files
D. All of the above
Answer: A

35. Hash libraries are commonly used to:
A. Identify files that are already known to the user.
B. Compare one hash set with another hash set.
C. Verify the evidence file.
D. Compare a file header to a file extension.
Answer: A

36. You are investigating a case of child pornography on a hard drive containing Windows XP. In the C:\Documents and Settings\Bad Guy\Local Settings\Temporary Internet Files folder you find three images of child pornography. You find no other copies of the images on the suspect hard drive, and you find no other copies of the filenames. What can be deduced from your findings?
A. The presence and location of the images is strong evidence of possession.
B. The presence and location of the images is not strong evidence of possession.
C. The presence and location of the images proves the images were intentionally downloaded.
D. Both a and c
Answer: B

37. Which of the following items could contain digital evidence?
A. Cellular phones
B. Digital cameras
C. Personal assistant devices
D. Credit card readers
Answer: ABCD

38. Bookmarks are stored in which of the following files?
A. The case file
B. The configuration Bookmarks.ini file
C. The evidence file
D. All of the above
Answer: A

39. Two allocated files can occupy one cluster, as long as they can both fit within the allotted number of bytes.
A. True
B. False
Answer: B

40. A SCSI host adapter would most likely perform which of the following tasks?
A. Make SCSI hard drives and other SCSI devices accessible to the operating system.
B. Configure the motherboard settings to the BIOS.
C. Set up the connection of IDE hard drives.
D. None of the above.
Answer: A

41. How does EnCase verify that the evidence file contains an exact copy of the suspect hard drive?
A. By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file.
B. By means of a CRC value of the suspect hard drive compared to a CRC value of the data stored in the evidence file.
C. By means of an MD5 hash value of the evidence file itself.
D. By means of a CRC value of the evidence file itself.
Answer: A

42. In DOS acquisition mode, if a physical drive is detected, but no partition information is displayed, what would be the cause?
A. There are no partitions present.
B. The partition scheme is not recognized by DOS.
C. Both a and b
D. Neither a nor b
Answer: C

43. RAM is used by the computer to:
A. Permanently store electronic data.
